libsepol: Write out genfscon file type when writing out CIL policy

Now that CIL genfscon rules accept an optional file type, it should be
written out when converting a kernel policy or module to CIL and a
genfscon rule applies to only a single security class.

Signed-off-by: James Carter <jwcart2@gmail.com>
James Carter 2021-11-10 09:08:56 -05:00
parent 03b1dcac2d
commit a46ade3f8f
2 changed files with 59 additions and 3 deletions


@ -2645,6 +2645,8 @@ static int write_genfscon_rules_to_cil(FILE *out, struct policydb *pdb)
struct ocontext *ocon;
struct strs *strs;
char *fstype, *name, *ctx;
uint32_t sclass;
const char *file_type;
int rc;
rc = strs_init(&strs, 32);
@ -2657,14 +2659,43 @@ static int write_genfscon_rules_to_cil(FILE *out, struct policydb *pdb)
fstype = genfs->fstype;
name = ocon->u.name;
sclass = ocon->v.sclass;
file_type = NULL;
if (sclass) {
const char *class_name = pdb->p_class_val_to_name[sclass-1];
if (strcmp(class_name, "file") == 0) {
file_type = "file";
} else if (strcmp(class_name, "dir") == 0) {
file_type = "dir";
} else if (strcmp(class_name, "chr_file") == 0) {
file_type = "char";
} else if (strcmp(class_name, "blk_file") == 0) {
file_type = "block";
} else if (strcmp(class_name, "sock_file") == 0) {
file_type = "socket";
} else if (strcmp(class_name, "fifo_file") == 0) {
file_type = "pipe";
} else if (strcmp(class_name, "lnk_file") == 0) {
file_type = "symlink";
} else {
rc = -1;
goto exit;
}
}
ctx = context_to_str(pdb, &ocon->context[0]);
if (!ctx) {
rc = -1;
goto exit;
}
rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s)", 3,
fstype, name, ctx);
if (file_type) {
rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s %s)", 4,
fstype, name, file_type, ctx);
} else {
rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s)", 3,
fstype, name, ctx);
}
free(ctx);
if (rc != 0) {
goto exit;
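Review bot: The final `else` branch of the class-name chain fails with `rc = -1; goto exit;` but emits no diagnostic, so a caller only learns that the CIL write failed, not which genfscon rule or which security class was rejected; log it before jumping, e.g. `sepol_log_err("Unsupported class %s for genfscon %s %s", class_name, fstype, name);` (or whichever logger this file's other failure paths use). The same seven-way name-to-keyword mapping is repeated verbatim in genfscon_to_cil in the second file, which has the same silent `return -1;`; a small static helper returning the CIL keyword, or NULL for an unsupported class, would keep both writers in sync if another class is ever supported. The lookup `pdb->p_class_val_to_name[sclass-1]` relies on sclass having been validated against the class count when the policy was read; if the read path does not guarantee that, a malformed policy could index past the table, so it is worth confirming rather than assuming. write_genfscon_rules_to_cil starts before the first hunk and continues past the end of this one.
```c
/* Map a kernel security class name to the CIL genfscon file-type keyword;
 * returns NULL when the class has no genfscon file-type form. */
static const char *genfscon_file_type(const char *class_name)
{
	static const struct { const char *class_name; const char *file_type; } map[] = {
		{ "file", "file" }, { "dir", "dir" }, { "chr_file", "char" },
		{ "blk_file", "block" }, { "sock_file", "socket" },
		{ "fifo_file", "pipe" }, { "lnk_file", "symlink" },
	};
	for (size_t i = 0; i < sizeof map / sizeof map[0]; i++) {
		if (strcmp(class_name, map[i].class_name) == 0)
			return map[i].file_type;
	}
	return NULL;
}

/* … unchanged: genfs/ocon loops, fstype/name/sclass assignments … */
			file_type = NULL;
			if (sclass) {
				const char *class_name = pdb->p_class_val_to_name[sclass-1];
				file_type = genfscon_file_type(class_name);
				if (!file_type) {
					sepol_log_err("Unsupported class %s for genfscon %s %s", class_name, fstype, name);
					rc = -1;
					goto exit;
				}
			}
/* … unchanged: context_to_str and strs_create_and_add calls … */
```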


@ -2955,10 +2955,35 @@ static int genfscon_to_cil(struct policydb *pdb)
{
struct genfs *genfs;
struct ocontext *ocon;
uint32_t sclass;
for (genfs = pdb->genfs; genfs != NULL; genfs = genfs->next) {
for (ocon = genfs->head; ocon != NULL; ocon = ocon->next) {
cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name);
sclass = ocon->v.sclass;
if (sclass) {
const char *file_type;
const char *class_name = pdb->p_class_val_to_name[sclass-1];
if (strcmp(class_name, "file") == 0) {
file_type = "file";
} else if (strcmp(class_name, "dir") == 0) {
file_type = "dir";
} else if (strcmp(class_name, "chr_file") == 0) {
file_type = "char";
} else if (strcmp(class_name, "blk_file") == 0) {
file_type = "block";
} else if (strcmp(class_name, "sock_file") == 0) {
file_type = "socket";
} else if (strcmp(class_name, "fifo_file") == 0) {
file_type = "pipe";
} else if (strcmp(class_name, "lnk_file") == 0) {
file_type = "symlink";
} else {
return -1;
}
cil_printf("(genfscon %s \"%s\" %s ", genfs->fstype, ocon->u.name, file_type);
} else {
cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name);
}
context_to_cil(pdb, &ocon->context[0]);
cil_printf(")\n");
}
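Review bot: The two `cil_printf("(genfscon %s \"%s\" ...` calls in the `if (sclass)` and `else` arms print the same rule prefix and differ only in the trailing file type, which is easy to let drift apart; since the mapping (and its `return -1;`) is resolved before anything is printed, the original single call can stay and the keyword be appended conditionally. Hoist `const char *file_type = NULL;` above the `if (sclass)` block, drop the two arm-specific prints, and after the block write `cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name);` followed by `if (file_type) cil_printf("%s ", file_type);`. That keeps the no-partial-output property of the new code while leaving one place that formats the rule. genfscon_to_cil continues past the end of this hunk.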